As some readers might remember from previous posts, it isn't possible in Solaris 11 Express to boot from an encrypted ZFS dataset. However, it is possible to have encrypted swap space and thus (by default) an encrypted /tmp. That still leaves /var/tmp unencrypted.
First let's look at swap space encryption. That is as simple as putting the word "encrypted" into the mount options field of /etc/vfstab for the swap ZVOL. If swap is a ZVOL then ZFS encryption will be used; if swap is a raw disk slice or a file then lofi will be interposed between the device/file and swap, using a randomly generated key. That is a fully supported solution in Solaris 11 Express, implemented by the swapadd command.
For encrypting /var/tmp we need to go beyond the provided services; the following (unsupported) method takes its lead from what I did for swapadd and applies it to /var/tmp. Note however that this assumes nothing in /var/tmp needs to be preserved across a reboot, and the data won't even be readable from another boot environment, so if you use this don't put anything into /var/tmp that you want access to after a reboot.
This takes advantage of the fact that in SMF we can place dependencies on other services without modifying them. So while the following makes some basic assumptions about the layout of the Solaris ZFS datasets, it doesn't require modifying any existing binaries or configuration files.
We create a new service, svc:/site/system/filesystem/tmp:default, which creates an encrypted dataset for /var/tmp using the manifest and method script that follow:
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
 CDDL HEADER START
 The contents of this file are subject to the terms of the
 Common Development and Distribution License (the "License").
 You may not use this file except in compliance with the License.
 You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 See the License for the specific language governing permissions
 and limitations under the License.
 When distributing Covered Code, include this CDDL HEADER in each
 file and include the License file at usr/src/OPENSOLARIS.LICENSE.
 If applicable, add the following below this CDDL HEADER, with the
 fields enclosed by brackets "[]" replaced with your own identifying
 information: Portions Copyright [yyyy] [name of copyright owner]
 CDDL HEADER END
 Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
-->
<service_bundle type='manifest' name='darrenm:etmp'>
  <service name='site/system/filesystem/tmp' type='service' version='1'>
    <create_default_instance enabled='true' />
    <!-- The crypto framework must be up and the minimal filesystems (rpool) mounted
         before we can create an encrypted dataset under rpool. -->
    <dependency name='cryptosvc' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/cryptosvc' />
    </dependency>
    <dependency name='fs-minimal' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/minimal' />
    </dependency>
    <!-- Assumed install path for the method script below; the post does not say
         where it lives, so adjust exec= to wherever you put it. -->
    <exec_method type='method' name='start' exec='/lib/svc/method/etmp' timeout_seconds='60' />
    <exec_method type='method' name='stop' exec=':true' timeout_seconds='60' />
    <!-- Transient: the start method runs once and exits; there is no daemon to watch. -->
    <property_group name='startd' type='framework'>
      <propval name='duration' type='astring' value='transient' />
    </property_group>
  </service>
</service_bundle>
#!/sbin/sh
#
# CDDL HEADER START
# The contents of this file are subject to the terms of the
# Common Development and Distribution License (the "License").
# You may not use this file except in compliance with the License.
# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
# or http://www.opensolaris.org/os/licensing.
# See the License for the specific language governing permissions
# and limitations under the License.
# When distributing Covered Code, include this CDDL HEADER in each
# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
# If applicable, add the following below this CDDL HEADER, with the
# fields enclosed by brackets "[]" replaced with your own identifying
# information: Portions Copyright [yyyy] [name of copyright owner]
# CDDL HEADER END
#
# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
#

. /lib/svc/share/smf_include.sh

# Whatever dataset is left from the previous boot is unreadable anyway: its key
# came from /dev/random and was never stored. Destroy it (ignore "does not exist").
zfs destroy rpool/tmp > /dev/null 2>&1

# Create a fresh encrypted dataset keyed with random bytes and mount it on /var/tmp.
zfs create -o mountpoint=/var/tmp -o encryption=on \
    -o keysource=raw,file:///dev/random rpool/tmp || exit $SMF_EXIT_ERR_FATAL

# /var/tmp must be world-writable with the sticky bit set, like the stock one.
chmod 1777 /var/tmp

exit $SMF_EXIT_OK
On reboot a new dataset for /var/tmp will be created. It would be possible to have a more sophisticated method script that doesn't use a hardcoded dataset name of rpool/tmp, but this seems sufficient for now. It will look something like this:
darrenm-pc:pts/1$ cd /var/tmp
darrenm-pc:pts/1$ df -hl .
Filesystem Size Used Available Capacity Mounted on
rpool/tmp 113G 79K 77G 1% /var/tmp
darrenm-pc:pts/1$ ls -ld .
drwxrwxrwt 5 root root 5 May 10 14:39 ./
darrenm-pc:pts/1$ zfs get encryption,keysource,keystatus rpool/tmp
NAME PROPERTY VALUE SOURCE
rpool/tmp encryption on local
rpool/tmp keysource raw,file:///dev/random local
rpool/tmp keystatus available -
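As an added post-boot check (not part of the original post), the following POSIX shell script confirms the three things this setup relies on: the /var/tmp dataset is encrypted with its key read from /dev/random and currently loaded, every swap entry in /etc/vfstab carries the "encrypted" option, and /var/tmp is mode 1777. The checks parse command output passed in as text, so the embedded samples are constructed and the script runs offline; on a live system feed it the real zfs get -H, vfstab and ls -ld output.

```shell
#!/bin/sh
# Constructed output of: zfs get -H -o property,value encryption,keysource,keystatus rpool/tmp
ZFS_GET_OK=$(printf 'encryption\ton\nkeysource\traw,file:///dev/random\nkeystatus\tavailable\n')
# Constructed output for a dataset that is encrypted but passphrase-keyed and not unlocked
ZFS_GET_BAD=$(printf 'encryption\ton\nkeysource\tpassphrase,prompt\nkeystatus\tunavailable\n')

# Constructed /etc/vfstab fragments: swap ZVOL with and without the "encrypted" option
VFSTAB_OK='#device device mount FS fsck mount mount
/dev/zvol/dsk/rpool/swap - - swap - no encrypted'
VFSTAB_BAD='/dev/zvol/dsk/rpool/swap - - swap - no -'

# check_etmp_props OUTPUT: 0 when encryption=on, the key is read from /dev/random
# (so it exists nowhere on disk) and it is loaded right now (keystatus available).
check_etmp_props() {
    printf '%s\n' "$1" | awk -F'\t' '
        $1 == "encryption" { enc = $2 }
        $1 == "keysource"  { ks  = $2 }
        $1 == "keystatus"  { kst = $2 }
        END { ok = (enc == "on" && ks == "raw,file:///dev/random" && kst == "available")
              exit ok ? 0 : 1 }'
}

# check_vfstab_swap VFSTAB: 0 when there is at least one swap entry and every
# swap entry lists "encrypted" among its mount options (7th field).
check_vfstab_swap() {
    printf '%s\n' "$1" | awk '
        /^#/ || NF == 0 { next }
        $4 == "swap" { n++; if ($7 !~ /(^|,)encrypted(,|$)/) bad++ }
        END { exit (n > 0 && bad == 0) ? 0 : 1 }'
}

# check_tmp_mode LS_LINE: 0 when "ls -ld /var/tmp" shows drwxrwxrwt (mode 1777).
check_tmp_mode() {
    case "$1" in
        drwxrwxrwt*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the checks against the constructed samples and report each result.
report() { if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi; }
report check_etmp_props "$ZFS_GET_OK"
report check_vfstab_swap "$VFSTAB_OK"
report check_tmp_mode "drwxrwxrwt 5 root root 5 May 10 14:39 ./"
```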